Windows 2008 R2 Mandatory Profile GPO

Question

I am trying to configure Mandatory profiles for any user who logs onto any of our Windows 2008 R2 servers. I have a test environment consisting of a 2008 R2 DC and a few 2008 R2 Application servers. The process I followed was this:

On the DC I created a folder on the c: drive and called it profile, then shared it as profiles$ with authenticated users and domain admins with full control. Set the NTFS permissions to Authenticated users read and Domain Admins full.

Then I logged onto one of the 2008 servers, created a local user called Mandatory, logged on with that user, modified the desktop and added some files to the desktop, logged off, then logged back on with a Domain admin account. Copied the local user folder for Mandatory, including hidden files, to the share \\Server\profile$\mandatory.

Then I imported the NTUSER.DAT into regedit, removed the permissions and added Authenticated users (READ) and Domain Admins (Full) and unloaded the hive. Renamed NTUSER.DAT to NTUSER.MAN and renamed the Mandatory folder to Mandatory.V2.

Now I created a new GPO and enabled "Use Mandatory profiles on the RD Session Host Server" and enabled "Set path for Remote Desktop Services Roaming User Profile" with the path of \\Server\Profile$\Mandatory

I then linked the GPO to the OU containing the Windows 2008 R2 servers, ran a quick GPUpdate on the server, then logged in. The profile is not the mandatory one. I have tried enabling loopback for the group policy, applying filtering to all users and the computer account, but still no mandatory profile is applied for any user logging on. An RSOP shows that the GPO is processed and applied, as I have made some other changes to the GPO and the settings do apply. Yet the Mandatory profile doesn't apply. When logged on, if you go to %userprofile% it points to the local cache, i.e. C:\users\username, and I can make changes that are still there when logging off and back on again.

All replies

This policy setting allows you to specify whether Remote Desktop Services uses a mandatory profile for all users connecting remotely to the RD Session Host server.

If you enable this policy setting, Remote Desktop Services uses the path specified in the Set path for Remote Desktop Services Roaming User Profile policy setting as the root folder for the mandatory user profile. All users connecting remotely to the RD Session Host server use the same user profile.

Note: For this policy setting to take effect, you must also enable and configure the Set path for Remote Desktop Services Roaming User Profile policy setting.

You can also open Start, click Run, type CMD, press Enter, type GPRESULT /H GPReport.html in the Terminal Server command prompt, then check the report to see whether the Group Policy has been successfully applied.

Hi, thanks for the feedback, but as I mentioned in my post I have already set up the GPO with those options enabled:

"Now I created a new GPO and enabled "Use Mandatory profiles on the RD Session Host Server" and enabled "Set path for Remote Desktop Services Roaming User Profile" with the path of \\Server\Profile$\Mandatory"

Oh - Also! Before you can import/export the Mandatory profile into the registry, you need to delete Local and LocalLow from the \AppData folder. That, combined with renaming the .DAT to .MAN makes it mandatory.

Hope that information helps, unless you've already figured it out, in which case, Well Done! :)
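A read-only check of the profile folder layout described in this thread (the .V2 folder, NTUSER.MAN, the removed AppData\Local and LocalLow folders, read-only access for Authenticated Users), added here as an example and not posted by any participant. The function names are hypothetical, the default path is the one quoted in the question, and the script assumes the server resolves the policy path to `<path>.V2`.

```powershell
# Added example (not from the thread). Run on the RD Session Host with an
# account that can read the profile share. Written to work on PowerShell 2.0.
param(
    # Value entered in "Set path for Remote Desktop Services Roaming User Profile".
    # Default is the path quoted in the question; replace it with your own.
    [string]$PolicyPath = '\\Server\Profile$\Mandatory'
)

function New-Check([string]$Name, [bool]$Passed) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed }
}

function Test-MandatoryProfile([string]$PolicyPath) {
    # Assumption: the server resolves the policy path to "<path>.V2",
    # which is why the question renames the folder to Mandatory.V2.
    $root = "$PolicyPath.V2"

    # .NET calls are used because NTUSER.* files carry hidden/system attributes.
    New-Check "Folder $root reachable" ([IO.Directory]::Exists($root))
    New-Check 'NTUSER.MAN present' ([IO.File]::Exists("$root\NTUSER.MAN"))
    New-Check 'NTUSER.DAT no longer present' (-not [IO.File]::Exists("$root\NTUSER.DAT"))
    foreach ($sub in 'Local', 'LocalLow') {
        New-Check "AppData\$sub removed" (-not [IO.Directory]::Exists("$root\AppData\$sub"))
    }

    # Authenticated Users (well-known SID S-1-5-11) should hold read access only,
    # otherwise any user could alter the profile that everyone else loads.
    if ([IO.Directory]::Exists($root)) {
        $write   = [int][Security.AccessControl.FileSystemRights]::Write
        $sidType = [Security.Principal.SecurityIdentifier]
        $writable = @((Get-Acl $root).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.IdentityReference.Value -eq 'S-1-5-11' -and
                $_.AccessControlType -eq 'Allow' -and
                ([int]$_.FileSystemRights -band $write)
            })
        New-Check 'Authenticated Users cannot write' ($writable.Count -eq 0)
    }
}

Test-MandatoryProfile $PolicyPath | Format-Table Check, Passed -AutoSize
```

A failed "reachable" check with an otherwise correct folder usually means the share name in the policy path does not match the share that was actually created.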
